Travel managers, and the service providers who assist them,
are having to cope with unprecedented upheaval right now, so what follows is
probably unwelcome news.
Over the next 18 months many companies throughout Europe
(including the UK) will have to change the way they pay for travel if they use
plastic corporate cards for pre-trip purchases.
The new rules are connected with Strong
Customer Authentication (SCA), a tightening of the identity verification protocol for
making online payments. SCA was originally scheduled to become mandatory in
September 2019. That was pushed back because, says Jeremy Dyball, commercial head
of travel payments for Amadeus, “issuers weren’t ready and it would have killed
too many transactions.”
The new deadlines are 31 December 2020 in the European
Union and 14 September 2021 in the UK.
Intended to reduce fraud, SCA will mean
that typing in a card number, expiry date and three-digit security number will no
longer be accepted as sufficient verification for online purchases. Additional
authentication will be required – the most familiar at present being entering a
one-time password (OTP) sent to the cardholder’s mobile phone. AirPlus
International introduced this measure for its corporate cards on the original
September 2019 deadline.
Get ready for SCA
1. Sidestep
SCA complications entirely by using lodge and virtual instead of plastic cards
for all pre-trip purchases.
2. Review your
use cases of plastic cards with your issuer and TMC to understand where SCA
could apply and if the transaction may be considered exempt.
3. In
particular, check whether personal or corporate plastic cards stored within
your travel service providers’ systems can continue to be used. If there is a
problem, ask your issuer and TMC what solutions they propose.
4. Examine the
possibility of whitelisting.
5. End all
shared use of plastic cards.
6. Make sure
your issuer has all travellers’ phone numbers for one-time password
communication.
7. Inform
unions/workers’ councils in relevant countries like Germany and France.
SCA brings the curtain down on some time-honoured but
woefully risky business travel payment practices where the holder of a plastic
card isn’t available to authenticate.
“Some companies may no longer be able to
use shared cards, such as those held by an administrator on behalf of a team or department,”
says Clive Cornelius, head of travel for Visa’s Business Solutions Europe
division.
“I can’t give my corporate card to my secretary anymore and ask them to buy
stuff online,” says Maria Parpou, chief product & commercial officer for commercial
payments at Barclaycard. “That message has landed. Corporate cards are
increasingly being used only for expenses on the road.”
Also likely to go the way
of the dodo is travel management companies using a client traveller’s plastic
card number stored in their system to pay for bookings the TMC makes on public
websites.
“In some cases, such as using a visa service, the TMC may have to pay for
it up-front and invoice the client,” warns AirPlus UK managing director Paul
Spelman.
Happily, several kinds of exemption potentially leave many forms of
corporate travel payment unchanged by SCA. Most importantly by far, lodge cards (centrally
billed accounts) and virtual cards are not affected – a huge relief for the
travel industry given that applying SCA to payment processes not associated with
an individual payer would have been logistically close to impossible.
“The basis
for the exemption is that historically fraud rates are very low,” Spelman
explains. “We now have to report on that. To retain the exemption, the fraud rate
must not exceed 0.01 per cent, which is only £100 for every £1 million spent. But
these products historically have been below that.”
Fraud rates are especially low
on virtual cards because controls can be applied to where each card can be used,
when and for what.
To keep fraud super-low, “we now insist these controls are
used,” says Spelman.
Card payments are also exempted if they are whitelisted. This
is a list that cardholders can create of trusted beneficiaries (named payees)
for which they confirm SCA is not needed.
And there is also an exemption for
any payments, including with plastic cards, for transactions made through a
“secure corporate environment.” This could, in theory, include business travellers
booking through an online booking tool, or TMCs booking on a traveller’s behalf
through a global distribution system (as opposed to through a public website).
Sounds great, but…
All these exemptions sound very helpful. Unfortunately, says
Francesco Cerlienco, EMEA head of product for Citi Commercial Cards, three major unresolved
complications could yet throw a huge spanner into the smooth workings of
corporate travel payments.
The first challenge applies to situations where no
exemptions apply and therefore SCA is required. The basis of SCA is that two
kinds of authentication must be used, chosen from something you know (such as an OTP),
something you possess (such as a card) and something you are (biometric ID).
It was
originally understood that a 16-digit plastic card number would count as
something you possess but last year the European Banking Authority ruled this
out. “A text message delivering an OTP has to become the possession factor,
which means we need another factor,” says Cerlienco.
Solutions that issuers are
looking at include asking cardholders to input two digits from their card PIN
or using fingerprint recognition. Both have their downsides: cardholders can
forget PINs and not all cardholders have smartphones, or are necessarily prepared
to use them for work purposes, especially in countries such as Germany and France
where workers’ councils or unions are powerful.
The next problem is the whitelisting
exemption. Card schemes are introducing different processes, leading to
inconsistencies. Perhaps even more seriously, says Cerlienco, “there is no
database of clean merchant names.”
For example, the same airline might use one
business entity to charge clients for a flight to Brussels and a different one
for a flight to New York.
Perhaps the biggest uncertainty of all is over flagging. As discussed, there is a secure corporate process exemption for online booking tool reservations or TMC bookings that flow through a GDS.
That’s just as well, because payment for those bookings is
often not processed at point of sale but hours later – often the next day.
“There’s no way you can do SCA in those circumstances,” says Cerlienco.
Therefore
a “flag” has to be produced within the reservation and payment process to
alert the card issuer that the transaction has taken place within a secure environment
and qualifies for exemption.
Two challenges arise. The first, says Cerlienco,
is that “Visa and Mastercard have developed flags but other stakeholders in
the process are in different states of readiness. The travel industry is
moving very slowly, especially the traditional airlines.”
The Brexit effect
Once the transition period for the UK’s
withdrawal from the European Union expires (still scheduled for 31 December 2020
at time of writing), customers based in the UK will only be allowed to receive
cards from UK entities of EU-based issuers. Likewise, says AirPlus’s Paul
Spelman, “if your UK-based issuer doesn’t have an EU-based entity, it may not be
able to serve you in the EU.” Not all issuers will necessarily be set up for
both UK and EU issuance, so it is definitely worth checking with your provider.
Keep an eye out too for divergence between EU and UK regulators, of which there
are already some early signs. This could eventually pose challenges to
pan-European card programmes.
The other difficulty
is that applying the exemption is at the discretion of the issuer. “We will be
honouring those flags but other issuers are taking the view that a flag is
not enough because they are not in control of the situation.”
Parpou agrees flagging is an unresolved issue. “We will accept it but there’s some ambiguity about
whether it’s acceptable within the regulations,” she says. “As a card issuer I
have no means to check the flags. We will monitor this closely.”
This
profusion of complexities explains why, according to AirPlus’s Spelman, “we
will really push our customers to use plastic just for on-trip expenditure,
which also helps keep their credit levels down.”
Sticking to lodge or virtual cards
is the only sure-fire way to avoid getting entangled in the uncertainties of
SCA.
Will they ever understand?
At the same time, the card and travel
industries believe regulators have still not grasped the complexities of travel
payments. Although the battle for travel industry exemptions is over on a pan-European
level, efforts continue on a national basis.
The association UK Banking, for
example, has formed a hospitality and travel group to engage with the Financial
Conduct Authority on the implementation of SCA in the UK. And don’t rule out a
further delay to SCA in its entirety given the distraction of more momentous global
events beyond the world of e-commerce payments.
This has already happened in
the UK, where the FCA has allowed an extra six months because of coronavirus,
and payment companies are pushing hard for another postponement in the EU.
“Only
about 30 per cent of merchants are ready for SCA and coronavirus won’t help with
this,” says Parpou. “Maybe legislators will say it’s not the right time to
create further friction within the process.”